Exadata After-Patching Action

Every time after Oracle engineers patch Exadata, security may be unduely tightened, and some settings are incorrectly put in place. Correct them as follows.

* To allow non-root user to view useful messages

# chmod o+r /var/log/messages* /var/log/maillog*

* To allow non-root user to run `last'

# chmod o+r /var/log/wtmp

* To not time out session

# vi /etc/ssh/sshd_config #comment out these two lines
ClientAliveInterval 600
ClientAliveCountMax 3
# systemctl restart sshd
# vi /etc/profile #comment out this line
TMOUT=14400

Also, make sure your own ~/.bash_profile doesn't have TMOUT environment variable set.

* To solve the error "You (oracle) are not allowed to use this program (crontab)"

#vi /etc/cron.allow #add oracle

* To solve the error "error: Could not load host key: /etc/ssh/ssh_host_dsa_key"

Make sure /etc/ssh/ssh_host_rsa_key is not 0 in size (it's OK to not have ssh_host_dsa_key and ssh_host_dsa_key.disabled exists)
# vi /etc/ssh/sshd_config #uncomment this line
HostKey /etc/ssh/ssh_host_rsa_key
# systemctl restart sshd

* To solve the error "Ignoring invalid environment assignment 'export SSH_USE_STRONG_RNG=0': /etc/sysconfig/sshd" in /var/log/messages

# vi /etc/sysconfig/sshd #remove "export " from this line
export SSH_USE_STRONG_RNG=0
# systemctl restart sshd

* To allow FUSE (Filesystem in Userspace) such as DBFS to mount

#vi /etc/fuse.conf #uncomment user_allow_other

----------------------------------------------------------------------------------------------------

Other changes

* Check /etc/oratab. Make sure +ASM1, +ASM2, etc. still exist. If there're new lines added for running instances but without instance numbers (e.g. mydb instead of mydb1 on node 1), you may delete them.
* Check use_large_pages in +ASM* instance. Make sure it's false, otherwise the ASM instance would use HugePages (since it's started before RDBMS instances).
* If you use Tivoli client for tape backup, make sure it still works.